1. DocumentsRequired
4.3 The scope of the ISMS
5.2 Information security policy
6.1.2 Information security risk assessment process
6.1.3 Information security risk treatment process
6. 1.3 d) The Statement of Applicability
6.2 Information security objectives
7.2 d) Evidence of competence
7.5.1 b) Documented information determined by the organisation as being necessary for the
effectiveness of the ISMS
8.1 Operational planning and control
8.2 Results of the information security risk assessment
8.3 Results of the information security risk treatment
9.1 Evidence of the monitoring and measurement of results
9.2 A documented internal audit process
9.2 g) Evidence of the audit programmes and the audit results
9.3 Evidence of the results of management reviews
10.1 f) Evidence of the nature of the non-conformities and any subsequent actions taken10. 1 g)
Evidence of the results of any corrective actions taken
Many of the controls in Annex A also assert the necessity of specific documentation,
including the following in particular:
A 7.1.2 and A.13.2.4 Definition of security roles and responsibilities
A 8.1.1 An inventory of assets
A 8.1.3 Rules for the acceptable use of assets
A.8.2.1 Information classification scheme
A.9.1.1 Access control policy
A 12.1.1 Operating procedures for IT management
A 12.4.1 and A.12.4.3 Logs of user activities, exceptions, and security events
A 14.2.5 Secure system engineering principles
A 15.1.1 Supplier security policy
A 16.1.5 Incident management procedure
A 17.1.2 Business continuity procedures
A 18.1.1 Statutory, regulatory, and contractual requirements